Trying to get compliant with EU AI Act before August
We're a 60-person B2B SaaS company. AI is running in more places than I have a handle on. Sales uses it for outreach drafts. Support has a chatbot on tier-1 tickets. Dev plugged it into code review. An analyst built an internal reporting tool I found out about last month when he mentioned it offhand in a standup.
None of it went through a formal approval process. Tools got adopted, managers approved individual subscriptions without looping in legal or security, and nobody thought to build a list. That worked fine until the EU AI Act became a real deadline.
August 2026—the Article 50 transparency requirements—is close enough that my COO wants a policy before Q3. My legal counsel sent a 40-page summary. My CTO says we're probably fine. I have no idea who's right because I can't even answer the most basic question: what AI are we actually running?
Four things I'm stuck on, in order of how much sleep they're costing me:
The inventory. I need a list of every AI tool and use case before I can do anything else. Did you build that through a survey, through IT asset management, or through department heads? Curious what actually worked versus what turned into a three-month project.
Risk tiers. Our support chatbot touches customer data. Our code review tool is internal only. I'm assuming those are in different compliance buckets, but I don't know how to make that call without a framework.
Evidence. Legal keeps asking for decision records. What we have is Slack threads and email chains going back two years. Is there a practical way to reconstruct that, or do you start fresh from here?
Vendors. Three of our AI tools updated their underlying models in the past six months. Nobody told us; we noticed accidentally. Are we supposed to run a new review every time a vendor pushes an update?
Happy to hear from anyone who's gotten further along than “we should probably do something about this.”